DomStorm : TestHarness: Allowed Request Headers by XHR

Results

This browser ran the most recent scan

Tested on

Chrome - 94 - undefined

Result	Test Name	Message
PASS	Header: "accept-charset" should not be allowed
PASS	Header: "accept-encoding" should not be allowed
PASS	Header: "access-control-request-headers" should not be allowed
PASS	Header: "access-control-request-method" should not be allowed
PASS	Header: "connection" should not be allowed
PASS	Header: "content-length" should not be allowed
PASS	Header: "cookie" should not be allowed
PASS	Header: "cookie2" should not be allowed
PASS	Header: "date" should not be allowed
PASS	Header: "dnt" should not be allowed
PASS	Header: "expect" should not be allowed
PASS	Header: "host" should not be allowed
PASS	Header: "keep-alive" should not be allowed
PASS	Header: "origin" should not be allowed
PASS	Header: "referer" should not be allowed
PASS	Header: "te" should not be allowed
PASS	Header: "trailer" should not be allowed
PASS	Header: "transfer-encoding" should not be allowed
PASS	Header: "upgrade" should not be allowed
PASS	Header: "user-agent" should not be allowed
PASS	Header: "via" should not be allowed
PASS	Header: "proxy-" should not be allowed
PASS	Header: "proxy-xyz" should not be allowed
PASS	Header: "sec-" should not be allowed
PASS	Header: "sec-xyz" should not be allowed

Tested on

Chrome Mobile - 83 - Android

Result	Test Name	Message
PASS	Header: "accept-charset" should not be allowed
PASS	Header: "accept-encoding" should not be allowed
PASS	Header: "access-control-request-headers" should not be allowed
PASS	Header: "access-control-request-method" should not be allowed
PASS	Header: "connection" should not be allowed
PASS	Header: "content-length" should not be allowed
PASS	Header: "cookie" should not be allowed
PASS	Header: "cookie2" should not be allowed
PASS	Header: "date" should not be allowed
PASS	Header: "dnt" should not be allowed
PASS	Header: "expect" should not be allowed
PASS	Header: "host" should not be allowed
PASS	Header: "keep-alive" should not be allowed
PASS	Header: "origin" should not be allowed
PASS	Header: "referer" should not be allowed
PASS	Header: "te" should not be allowed
PASS	Header: "trailer" should not be allowed
PASS	Header: "transfer-encoding" should not be allowed
PASS	Header: "upgrade" should not be allowed
PASS	Header: "user-agent" should not be allowed
PASS	Header: "via" should not be allowed
PASS	Header: "proxy-" should not be allowed
PASS	Header: "proxy-xyz" should not be allowed
PASS	Header: "sec-" should not be allowed
PASS	Header: "sec-xyz" should not be allowed

Tested on

Chromium - 45 - Ubuntu

Result	Test Name	Message
PASS	Header: "accept-charset" should not be allowed
PASS	Header: "accept-encoding" should not be allowed
PASS	Header: "access-control-request-headers" should not be allowed
PASS	Header: "access-control-request-method" should not be allowed
PASS	Header: "connection" should not be allowed
PASS	Header: "content-length" should not be allowed
PASS	Header: "cookie" should not be allowed
PASS	Header: "cookie2" should not be allowed
PASS	Header: "date" should not be allowed
PASS	Header: "dnt" should not be allowed
PASS	Header: "expect" should not be allowed
PASS	Header: "host" should not be allowed
PASS	Header: "keep-alive" should not be allowed
PASS	Header: "origin" should not be allowed
PASS	Header: "referer" should not be allowed
PASS	Header: "te" should not be allowed
PASS	Header: "trailer" should not be allowed
PASS	Header: "transfer-encoding" should not be allowed
PASS	Header: "upgrade" should not be allowed
PASS	Header: "user-agent" should not be allowed
PASS	Header: "via" should not be allowed
PASS	Header: "proxy-" should not be allowed
PASS	Header: "proxy-xyz" should not be allowed
PASS	Header: "sec-" should not be allowed
PASS	Header: "sec-xyz" should not be allowed

Tested on

Firefox - 70 - Windows 10

Result	Test Name	Message
PASS	Header: "accept-charset" should not be allowed
PASS	Header: "accept-encoding" should not be allowed
PASS	Header: "access-control-request-headers" should not be allowed
PASS	Header: "access-control-request-method" should not be allowed
PASS	Header: "connection" should not be allowed
PASS	Header: "content-length" should not be allowed
PASS	Header: "cookie" should not be allowed
PASS	Header: "cookie2" should not be allowed
PASS	Header: "date" should not be allowed
PASS	Header: "dnt" should not be allowed
PASS	Header: "expect" should not be allowed
PASS	Header: "host" should not be allowed
PASS	Header: "keep-alive" should not be allowed
PASS	Header: "origin" should not be allowed
PASS	Header: "referer" should not be allowed
PASS	Header: "te" should not be allowed
PASS	Header: "trailer" should not be allowed
PASS	Header: "transfer-encoding" should not be allowed
PASS	Header: "upgrade" should not be allowed
FAIL	Header: "user-agent" should not be allowed	assert_false: Header 'user-agent' was allowed expected false got true
PASS	Header: "via" should not be allowed
PASS	Header: "proxy-" should not be allowed
PASS	Header: "proxy-xyz" should not be allowed
PASS	Header: "sec-" should not be allowed
PASS	Header: "sec-xyz" should not be allowed

Tested on

Googlebot - 2.1 - undefined

Result	Test Name	Message
PASS	Header: "accept-charset" should not be allowed
PASS	Header: "accept-encoding" should not be allowed
PASS	Header: "access-control-request-headers" should not be allowed
PASS	Header: "access-control-request-method" should not be allowed
PASS	Header: "connection" should not be allowed
PASS	Header: "content-length" should not be allowed
PASS	Header: "cookie" should not be allowed
PASS	Header: "cookie2" should not be allowed
PASS	Header: "date" should not be allowed
PASS	Header: "dnt" should not be allowed
PASS	Header: "expect" should not be allowed
PASS	Header: "host" should not be allowed
PASS	Header: "keep-alive" should not be allowed
PASS	Header: "origin" should not be allowed
PASS	Header: "referer" should not be allowed
PASS	Header: "te" should not be allowed
PASS	Header: "trailer" should not be allowed
PASS	Header: "transfer-encoding" should not be allowed
PASS	Header: "upgrade" should not be allowed
PASS	Header: "user-agent" should not be allowed
PASS	Header: "via" should not be allowed
PASS	Header: "proxy-" should not be allowed
PASS	Header: "proxy-xyz" should not be allowed
PASS	Header: "sec-" should not be allowed
PASS	Header: "sec-xyz" should not be allowed

Tested on

Safari - 7 - Mac OS X

Result	Test Name	Message
PASS	Header: "accept-charset" should not be allowed
PASS	Header: "accept-encoding" should not be allowed
PASS	Header: "access-control-request-headers" should not be allowed
PASS	Header: "access-control-request-method" should not be allowed
PASS	Header: "connection" should not be allowed
PASS	Header: "content-length" should not be allowed
PASS	Header: "cookie" should not be allowed
PASS	Header: "cookie2" should not be allowed
PASS	Header: "date" should not be allowed
PASS	Header: "dnt" should not be allowed
PASS	Header: "expect" should not be allowed
PASS	Header: "host" should not be allowed
PASS	Header: "keep-alive" should not be allowed
PASS	Header: "origin" should not be allowed
PASS	Header: "referer" should not be allowed
PASS	Header: "te" should not be allowed
PASS	Header: "trailer" should not be allowed
PASS	Header: "transfer-encoding" should not be allowed
PASS	Header: "upgrade" should not be allowed
PASS	Header: "user-agent" should not be allowed
PASS	Header: "via" should not be allowed
PASS	Header: "proxy-" should not be allowed
PASS	Header: "proxy-xyz" should not be allowed
PASS	Header: "sec-" should not be allowed
PASS	Header: "sec-xyz" should not be allowed

User Script (TESTHARNESS)

					
<html>
<head>
<script src="/public/js/testharness-domstorm.js"></script>

<script>
// The userScript for the Module
// W3C Testharness.js
// Turotial: http://darobin.github.io/test-harness-tutorial/docs/using-testharness.html
// W3c Platform Tests: https://github.com/w3c/web-platform-tests
    setup({
            allow_uncaught_exception: true
    });
    
        function shouldReturnFalse(val) {
            test(function() {
                var client = new XMLHttpRequest();
                client.open("GET", "/helper/headers?filter=TEST", false); // we send this synchronously for testing
                client.setRequestHeader(val, "TEST");
                client.send(null);
                var headers = JSON.parse(client.responseText);
                //                console.log(val);
                //                console.log(headers);
                assert_false(headers.hasOwnProperty(val), "Header '" + val + "' was allowed");
                //assert_own_property(headers, val);
            }, "Header: \"" + val + "\" should not be allowed");
        }

        var data = ["Accept-Charset", "Accept-Encoding", "Access-Control-Request-Headers", "Access-Control-Request-Method", "Connection", "Content-Length", "Cookie", "Cookie2", "Date", "DNT", "Expect", "Host", "Keep-Alive", "Origin", "Referer", "TE", "Trailer", "Transfer-Encoding", "Upgrade", "User-Agent", "Via", "Proxy-", "Proxy-XYZ", "Sec-", "Sec-XYZ"];

        for (var i = 0; i < data.length; i++) {
            var val = data[i].toLowerCase();
            shouldReturnFalse(val);
        };
</script>

</head>
<body>
Testing using W3C TestHarness.js for XHR Methods
</body>
</html>

TestHarness: Allowed Request Headers by XHR

Allowed Request Headers by XHR using testharness.js

Results

User Script (TESTHARNESS)